Re: HP security bug report contact?

Richard Johnson (
Sun, 04 Sep 1994 12:48:46 -0600

  From the keyboard of:  Steve Kennedy <>

  According to Helen O'Boyle
  > Just as the subject line says, to whom at HP do I report a security hold
  > in an hpux component?
  > Since this is HP-specific, I'll give HP a shot at it before I call CERT.
  Report it to your local HP responce centre and tell them to escalate it !!!
  Get names ...
  Also report it to CERT who will also try and track it.

HP has a security alert mail address now.  Here's what it says in their
periodic security bulletins:

|| If you have concerns about security issues, please forward them to:
|| The security-alert node is monitored during working hours Pacific Daylight
|| Time by multiple HP Security Response Team personnel. We reply to your
|| message only if necessary to obtain additional information.

I'd suggest giving them a tantalizing glimpse, so they have to reply asking
for more info, just to be sure that address isn't a black hole.  But that's
just me. :-)

To get the hp security bulletins, send a message to
with the command
  subscribe security_info
in the body.
